A damaging new report from Ofcom, the UK’s communications regulator, has delivered a stark verdict: TikTok and YouTube’s content feeds are “not safe enough” for children. This isn’t just another regulatory slap on the wrist. Ofcom is putting out a wake-up call for anyone working in cybersecurity, threat intelligence, and online safety.
In its own words:
“Notably, TikTok and YouTube failed to commit to any significant changes to reduce harmful content being served to children, maintaining their feeds are already safe for children.”
On the positive side, Snap, Meta, and Roblox agreed to adopt further safety measures to protect children from online grooming and “stranger danger.”
The BBC reports that an Ofcom survey found 84% of children aged 8 to 12 were still using at least one major service with a minimum age of 13. We reported earlier about how easy it was to fool some of the age verification methods. Researchers using under-13 accounts also reported encountering sexual content and offensive language shortly after entering specific Roblox games.
Speaking of Roblox, The Guardian reports that US advocacy groups have formally requested the Federal Trade Commission (FTC) investigate Roblox for what they call “unfair and deceptive” practices. The complaint focuses on:
- In-game purchases pressuring children to spend money
- Chat functionality exposing children to strangers
- Features designed to maximize engagement, which critics argue may be addictive
Drew Benvie, CEO of Battenhall and founder of youth safety nonprofit Raise, noted:
“Although Roblox is implementing new age-based safety measures, young players are adept at circumventing these protections.”
The cybersecurity point of view
What keeps cybersecurity researchers up at night is another angle to this problem. Many proposed age assurance solutions require users to hand over government IDs or biometric selfie data. We already talked about this in our blog, Age verification: Child protection or privacy risk?
Age verification systems create massive data collection opportunities that become prime targets for:
- Data breaches exposing sensitive personally identifiable information (PII)
- Identity theft facilitated by centralized ID databases
- Biometric data theft, which cannot be changed like passwords
- Malware and scams targeting users on less-secure platforms
When restrictions push young users toward smaller or less secure sites, they encounter:
- No basic safety protections
- Higher exposure to malware
- Increased phishing and scam risks
- Unmoderated harmful content
This is exactly what we see in threat intelligence: As defenders secure one vector, cybercriminals adapt and move elsewhere.
Safer systems beat stricter age gates
Protecting children should focus on building safer digital experiences overall. This is the only viable path forward because:
- Stronger moderation actually removes harmful content rather than just blocking access
- Safer recommendation systems prevent algorithmic amplification of harmful content
- Better platform accountability means companies can’t prioritize engagement over safety
- Avoiding invasive data collection prevents creating massive honeypots for attackers
As someone who analyzes malware and threats daily, I can tell you: security through obscurity (age gates) doesn’t work. Security through robust system design (moderation, safer algorithms, accountability) does.
Scammers don’t need to hack you. They just need you to click once.
Malwarebytes Identity Theft Protection catches suspicious activity before it becomes a problem.